Introduction

Content Security Policy (CSP) is a security standard intended to prevent certain threats, such as Cross-Site Scripting (XSS) attacks. When CSP is enabled, the browser loads content from approved sources only. In particular, it prohibits requests to third-party domains that have not been explicitly allowed.

If you are using ONLYOFFICE Document Server (Integration Edition or Developer Edition) integrated with your web solution, and CSP is enabled on your web server to improve safety and security, the default CSP settings may cause some issues. ONLYOFFICE Online Editors include a number of plugins, some of which use third-party resources and make requests to third-party domains, e.g. the YouTube plugin. Because CSP prohibits requests to third-party domains, these plugins cannot work properly, e.g. YouTube videos are blocked from loading.
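The blocking behaviour described above, as an added example that is not part of the original page or of ONLYOFFICE code: a simplified check of a resource URL against a CSP header, showing why a plugin's third-party frame is refused under a strict policy and allowed once its origin is listed. The page origin, the policy strings and the use of www.youtube.com as the plugin's embed origin are assumptions constructed for illustration.

```javascript
// Added example: simplified CSP source-list matching, not a full implementation.
// Simplifications: paths, ports, nonces and hashes are ignored.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === selfOrigin;
  if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // *.example.com matches subdomains only
    : url.hostname === host;
}

// frame-src falls back to child-src, and every fetch directive falls back to default-src.
// If none of them is present, the policy does not restrict that resource type.
function isAllowed(policy, directive, resourceUrl, selfOrigin) {
  const sources = policy.get(directive)
    ?? (directive === 'frame-src' ? policy.get('child-src') : undefined)
    ?? policy.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(resourceUrl);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// Constructed sample values (assumptions, not taken from the page).
const SELF = 'https://docs.example.com';
const EMBED = 'https://www.youtube.com/embed/VIDEO_ID';
const strict = parseCsp("default-src 'self'");
const relaxed = parseCsp("default-src 'self'; frame-src 'self' https://www.youtube.com");

console.log('strict policy allows embed: ', isAllowed(strict, 'frame-src', EMBED, SELF));
console.log('relaxed policy allows embed:', isAllowed(relaxed, 'frame-src', EMBED, SELF));
```

Listing the origin under `frame-src` only keeps scripts from that origin blocked, since `script-src` still falls back to `default-src 'self'`.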

Adding third-party domains to the list of allowed sources

For plugins to work correctly, you need to allow requests to certain domains (the full list of domains is available below). This can be done by changing the HTTP header that enables CSP. Depending on the solution you use, this header may be located in different files. These instructions describe the basic principles, not individual cases. The header should look like this: